In June 2025, the UK’s Data Protection and Digital Information Act received Royal Assent, marking a key shift for B2B marketers managing data-driven strategies. This law reshapes how marketing teams handle data across the UK and beyond, going deeper than simple compliance. It clarifies longstanding issues like legitimate interest marketing and consent frameworks, while addressing practical aspects such as cookie management and AI-powered profiling. For marketing leaders, adapting to these changes is essential to stay competitive and compliant.
A Win for Legitimate Interest and Consent Models
The act brings much-needed clarity on using legitimate interest as a legal basis for direct marketing. Previously, many companies defaulted to requesting explicit consent due to uncertainty, even when legitimate interest applied. The new legislation confirms that legitimate interest is a valid ground for direct marketing, reducing unnecessary consent requests and fragmented data flows.
If your team has been relying heavily on consent where legitimate interest is appropriate, it’s time to revisit your approach. However, any updates should be reviewed with legal experts to ensure compliance and avoid risk. The key takeaway: you can do less now, but “less” still means responsible data use aligned with the law.
Toward a More Frictionless Web Experience
The treatment of cookies in the act simplifies user engagement, though not as radically as early drafts suggested. For B2B websites, non-essential cookies used for statistical purposes or content alignment no longer require explicit opt-in. This reduces the need for intrusive pop-ups that have long interrupted digital journeys.
Marketers focused on conversion optimisation will welcome this change. Data on session duration, video engagement, and navigation patterns can be collected more smoothly, as long as privacy isn’t compromised. Updating cookie banners and consent scripts in collaboration with legal and web development teams is a necessary next step.
International Data Transfers: Uncertainty Abroad
While the law modernises domestic data governance, questions remain about international data transfers. This is crucial for global B2B firms using cloud-based marketing technologies. The act clarifies UK-based data processing but its alignment with EU and other international regulations is still unclear.
Businesses relying on offshore CRM, marketing automation, or analytics platforms should work closely with legal and IT teams to manage compliance risks. Until clearer agreements are in place, standard contractual clauses (SCCs) and updated international data transfer agreements remain vital tools.
AI, Profiling and Predictive Analytics
The act takes a pragmatic stance on AI and profiling. Previously, most profiling required explicit consent, which was impractical given current marketing practices. Now, profiling without explicit consent is allowed, provided it doesn’t lead to significant negative decisions affecting individuals.
This opens the door for more dynamic AI-powered marketing techniques such as lead scoring, personalisation, and predictive analytics. B2B marketers can leverage AI tools more confidently, but ethical and privacy-by-design principles must remain central to development and deployment.
First-Party Data Strategies
With third-party cookies fading, first-party data becomes more valuable. The act supports building direct, value-driven relationships with audiences through transparent data collection methods like gated content, newsletter sign-ups, and enriched CRM forms.
Marketers should focus on offering clear value to encourage willing data sharing. Tools like premium insights, ROI calculators, and tailored reports help build trust and loyalty. This approach isn’t just compliant—it creates a competitive advantage by making customer data a core asset.
Operational Adjustments: What To Do Now?
Marketing operations leaders should use this moment to audit and streamline data practices. Key focus areas include:
- Consent mechanisms: Align forms, pop-ups, and backend processes with updated rules on legitimate interest and consent.
- Cookie scripts: Simplify banners to reflect exemptions for non-intrusive tracking.
- CRM systems: Review segmentation and targeting logic to ensure profiling complies with permissions.
- International hosting: Confirm offshore data storage follows evolving cross-border rules.
If your organisation previously over-complied out of caution, now is the time to trim excess. Still, sensitive data use demands full regulatory attention. Strengthening internal governance, staff training, and teamwork between marketing, legal, and IT will smooth this transition.
Digital Verification and AI-Driven Fraud Protection
The act introduces provisions supporting digital identity verification to combat AI-generated fraud, impersonation, and data breaches. While aimed mainly at consumer protection, these measures also benefit B2B environments by improving the verification of business contacts and partnership authenticity.
Secure digital verification can now be used more freely, without extra permissions, helping defend against deepfakes and spoofed identities in sales and procurement channels. Integrating digital identity tools into CRM and onboarding processes can enhance both security and trust.
Beyond Compliance: Toward Competitive Differentiation
This legislation is more than just a compliance update. By clarifying legal bases for marketing, reducing consent friction, and enabling responsible AI use, it empowers marketers to engage audiences with confidence and efficiency.
Although international data transfer rules remain in flux, UK B2B marketers have an opportunity to optimise data strategies now. Those refining consent processes, enhancing user experience, and embedding ethical AI profiling will reduce risk and stand out in a data-driven market.
Using the new act as a foundation to build trust and deliver personalised value will make data governance a strategic asset—not just a regulatory obligation.
Your membership also unlocks:
